linux/sound/usb
Hui Peng 5f8cf71258 ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
If a USB sound card reports 0 interfaces, an error condition is triggered
and the function usb_audio_probe errors out. In the error path, there was a
use-after-free vulnerability where the memory object of the card was first
freed, followed by a decrement of the number of active chips. Moving the
decrement above the atomic_dec fixes the UAF.

[ The original problem was introduced in 3.1 kernel, while it was
  developed in a different form.  The Fixes tag below indicates the
  original commit but it doesn't mean that the patch is applicable
  cleanly. -- tiwai ]

Fixes: 362e4e49ab ("ALSA: usb-audio - clear chip->probing on error exit")
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-12-03 16:09:38 +01:00
..
6fire ALSA: pcm: Nuke snd_pcm_lib_mmap_vmalloc() 2018-07-18 08:24:29 +02:00
bcd2000 sound updates for 4.15-rc1 2017-11-14 18:01:46 -08:00
caiaq ALSA: caiaq: Add fall-through annotation 2018-10-12 09:31:26 +02:00
hiface ALSA: pcm: Nuke snd_pcm_lib_mmap_vmalloc() 2018-07-18 08:24:29 +02:00
line6 ALSA: line6: stop using get_seconds() 2018-06-18 17:56:29 +02:00
misc ALSA: pcm: Nuke snd_pcm_lib_mmap_vmalloc() 2018-07-18 08:24:29 +02:00
usx2y treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
card.c ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c 2018-12-03 16:09:38 +01:00
card.h ALSA: usb-audio: AudioStreaming Power Domain parsing 2018-07-31 15:01:30 +02:00
clock.c ALSA: usb-audio: Allow changing from a bad sample rate 2018-07-19 08:44:46 +02:00
clock.h ALSA: usb: initial USB Audio Device Class 3.0 support 2018-03-21 11:46:33 +01:00
debug.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
endpoint.c ALSA: usb-audio: remove redundant pointer 'urb' 2018-08-01 14:00:32 +02:00
endpoint.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
format.c sound fixes for 4.18-rc1 2018-06-15 17:24:40 +09:00
format.h ALSA: usb: initial USB Audio Device Class 3.0 support 2018-03-21 11:46:33 +01:00
helper.c ALSA: usb-audio: correct speed checking 2016-05-08 11:42:04 +02:00
helper.h ALSA: usb-audio: Drop superfluous ifndef 2018-05-24 11:19:42 +02:00
Kconfig ALSA: us122l: enable compile testing 2017-05-15 11:02:14 +02:00
Makefile ALSA: usb-audio: Initial Power Domain support 2018-07-31 15:01:22 +02:00
midi.c ALSA: rawmidi: A lightweight function to discard pending bytes 2018-10-04 20:13:17 +02:00
midi.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mixer_maps.c ALSA: usb: add UAC3 BADD profiles support 2018-05-13 08:54:35 +02:00
mixer_quirks.c ALSA: usb-audio: Add custom mixer status quirks for RME CC devices 2018-10-05 10:18:59 +02:00
mixer_quirks.h ALSA: usb-audio: Initialize Dell Dock playback volumes 2018-05-02 16:02:32 +02:00
mixer_scarlett.c ALSA: usb-audio: Clean up mixer element list traverse 2018-05-03 12:35:19 +02:00
mixer_scarlett.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mixer_us16x08.c ALSA: usb: Avoid VLA in mixer_us16x08.c 2017-05-31 08:46:19 +02:00
mixer_us16x08.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mixer.c ALSA: usb-audio: Mark expected switch fall-through 2018-08-09 08:52:33 +02:00
mixer.h ALSA: usb-audio: Declare the common variable in header file 2018-07-26 08:32:00 +02:00
pcm.c ALSA: usb: Mark expected switch fall-through 2018-08-01 20:32:06 +02:00
pcm.h ALSA: usb-audio: Add UAC3 Power Domains to suspend/resume 2018-07-31 15:01:36 +02:00
power.c ALSA: usb-audio: Initial Power Domain support 2018-07-31 15:01:22 +02:00
power.h ALSA: usb-audio: Initial Power Domain support 2018-07-31 15:01:22 +02:00
proc.c ALSA: usb-audio: Avoid nested autoresume calls 2015-08-26 15:38:25 +02:00
proc.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
quirks-table.h ALSA: usb-audio: Add vendor and product name for Dell WD19 Dock 2018-11-28 10:59:49 +01:00
quirks.c ALSA: usb-audio: Add SMSL D1 to quirks for native DSD support 2018-11-29 08:49:24 +01:00
quirks.h ALSA: usb-audio: move audioformat quirks to quirks.c 2018-03-19 17:00:12 +01:00
stream.c ALSA: usb-audio: Fix invalid use of sizeof in parse_uac_endpoint_attributes() 2018-08-02 07:26:37 +02:00
stream.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
usbaudio.h ALSA: usb-audio: Allow non-vmalloc buffer for PCM buffers 2018-05-29 10:01:54 +02:00